URL
https://ionicframework.com/docs/troubleshooting/cors#what-is-cors
Issue Description
Summary
The CORS docs state that the Android origin is http://localhost. On current Capacitor this is https://localhost by default, because server.androidScheme defaults to https. The current wording leads people to whitelist the wrong origin and get blocked requests on Android.
What the docs say
From the CORS page:
An origin is the combination of the protocol, domain, and port from which your Ionic app or the external resource is served. For example, apps running in Capacitor have capacitor://localhost (iOS) or http://localhost (Android) as their origin.
What actually happens
On a default Capacitor app (no androidScheme set), the Android webview origin is https://localhost, not http://localhost.
Tested on Capacitor 7 with a production backend. The server logged the incoming Origin header per platform:
Android origin = https://localhost
iOS / iPadOS origin = capacitor://localhost
The CORS allowlist only started working on Android after adding https://localhost. Adding http://localhost had no effect.
Why
Since Capacitor 6 made https the default androidScheme, the default Android origin is https://localhost. Per the config reference, the origin is androidScheme + hostname. It is http://localhost only if you set androidScheme: 'http'. Also raised in #3639.
Suggested wording
Apps running in Capacitor have capacitor://localhost (iOS) or https://localhost (Android) as their origin by default. The Android scheme follows server.androidScheme, which defaults to https. It is http://localhost only if you set androidScheme: 'http'.
If this looks right, I am happy to open a PR with the change.
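Added example (not part of the original issue, the Ionic docs, or Capacitor's code): a server-side allowlist built from the app's `server` config, showing why an allowlist that follows the old docs wording rejects a default Android build. The function names are hypothetical, the `iosScheme` and `hostname` keys are assumed from Capacitor's server config, and the sample origins are constructed.

```javascript
// Defaults as described in the issue: androidScheme is 'https' since Capacitor 6,
// and the default iOS origin is capacitor://localhost.
const DEFAULTS = { androidScheme: 'https', iosScheme: 'capacitor', hostname: 'localhost' };

// The Origin a Capacitor webview sends is scheme + "://" + hostname, per platform.
function capacitorOrigins(server = {}) {
  const cfg = { ...DEFAULTS, ...server };
  return {
    android: `${cfg.androidScheme}://${cfg.hostname}`,
    ios: `${cfg.iosScheme}://${cfg.hostname}`,
  };
}

// Build an exact-match allowlist from the app's own config instead of hard-coding it.
function buildAllowlist(server = {}, extraOrigins = []) {
  const { android, ios } = capacitorOrigins(server);
  return new Set([android, ios, ...extraOrigins]);
}

// Return the CORS response headers for a request, or {} when the origin is not allowed.
// The comparison is an exact string match: the scheme is part of the origin,
// so http://localhost and https://localhost are different origins.
function corsHeadersFor(originHeader, allowlist) {
  if (typeof originHeader !== 'string' || !allowlist.has(originHeader)) return {};
  return { 'Access-Control-Allow-Origin': originHeader, Vary: 'Origin' };
}

// Constructed sample: an allowlist written from the old docs wording vs. one derived from config.
const staleAllowlist = new Set(['capacitor://localhost', 'http://localhost']);
const fixedAllowlist = buildAllowlist();

for (const origin of ['https://localhost', 'capacitor://localhost', 'http://localhost']) {
  const stale = 'Access-Control-Allow-Origin' in corsHeadersFor(origin, staleAllowlist);
  const fixed = 'Access-Control-Allow-Origin' in corsHeadersFor(origin, fixedAllowlist);
  console.log(`${origin}  stale allowlist: ${stale}  config-derived allowlist: ${fixed}`);
}
```

Passing `{ androidScheme: 'http' }` to `buildAllowlist` yields `http://localhost` for Android, matching the one case where the old wording is correct.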